Introduction

— by Pat Cable, Senior Infrastructure Security Engineer, Threat Stack

From time to time Threat Stack invites industry experts to share our blog space, and in today’s post, Chris Lippert, Privacy Technical Lead at Schellman & Company, LLC., takes a look at the General Data Protection Regulation (GDPR), a topic that is on everyone’s mind, whether they’re prepared for it or not.

In this post, Chris explores what’s unique about the GDPR, how it overlaps with existing frameworks including ISO/IEC 27000, NIST, and PCI, and points to how you can leverage your current controls to meet many of the security considerations for personal data under Article 32, as well as other requirements of the GDPR, such as data protection policies or vendor management.

Note: The following post is related to Sensu, a monitoring tool for internal infrastructure health and alerting. If you use Sensu (https://sensuapp.org/) for internal monitoring of your own infrastructure health, this could be useful for you. However, this tool does not integrate with Threat Stack services and is not intended or supported for any such use case. It is a tool that we use internally, and we have released this with the intention that it may be helpful to the wider open source community.

Tooling is an integral part of operations at Threat Stack. On the Operations team, our job is to enable both ourselves and the Development team to work more effectively. When I started at Threat Stack almost a year ago, my role primarily centered on improving our tooling to create more granular control over our environment. My first project was creating “shush,” an operations tool for temporarily silencing monitoring checks in Sensu during maintenance. Up to that point, our check silencing for routine maintenance had been coarse-grained: while we could silence groups of checks and all checks coming from a particular node, we were not able to silence single checks or a subset of checks on those hosts. After we discussed the requirements for this tool, I ultimately suggested that it be written in Rust.

The General Data Protection Regulation (GDPR) goes into effect on May 25, 2018, and despite being a European Union regulation, its effects are far reaching, as we’ll explain below. Regardless of where a company is based, it is subject to GDPR if it collects “personal data” from a person physically located in an EU country, provided the collection relates to offering goods or services or to monitoring their behavior. Thus, virtually any website that collects data would be subject to GDPR. Many SaaS organizations may feel overwhelmed by these new regulations or unsure of how they will (or won’t) apply to them.

Despite the flood of information that’s been published about the new regulation, many SaaS companies are still unclear about what GDPR means for them, so in this post, we have provided a brief definition of the GDPR followed by five key points you should be aware of.

Read more: “5 Things Your SaaS Company Should Know About GDPR”

At Threat Stack, we believe in building a security culture that starts at the top and functions as a cross-organizational discipline. Achieving this goal requires education and transparency among business partners. That’s why we at Threat Stack have built our own internal security council, which meets regularly and reviews issues that are relevant and timely for our organization.

Read more: “How a Cloud Security Company Runs Its Security Council”

As a SaaS company, your time and resources are valuable. You need to make solid, strategic decisions about where to focus your time and energy. You also need to ensure that your organization is secure and compliant in the ways that matter to you and to your customers.

GDPR. Meltdown. Spectre. SOC 2. Coming at you like mosquitoes on a hot summer night, these topics are of top concern for board members and security teams alike this year. But what do you do when these issues really aren’t of concern to your particular organization? And how can you put your board and executive team at ease when these issues hit the news?

As a SaaS company, compliance is probably the last thing you want to think about as you kick off the new year. It can be complicated, but meeting compliance requirements can also open up new markets, speed up your sales process, and improve your company’s overall security posture. When it comes to improving your security maturity, compliance can serve as a useful part of your strategy.

Entering new markets, whether you’re targeting specific industry verticals or going after international customers, requires continuous education and awareness about the latest in compliance and regulatory standards as they relate to data privacy and security. With that in mind, this post takes a brief look at key standards in order to give you insights into the security and privacy requirements that may be pertinent to the way your SaaS company engages with prospects and customers and handles sensitive data.

Read more: “How SaaS Companies Can Build a Compliance Roadmap for 2018”